The latest Facebook security blunder involves photos from 6.8 million users. The company shared in an update on its developer page today that a bug allowed third parties to see photos that Facebook users had uploaded but chose not to post to the social media service.

As reported by TechCrunch, Facebook detailed in its post today that the flaw occurred between September 13 and 25.

Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.

There were several scenarios in which the API bug affected users:

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post.

At this time, Facebook believes the flaw affected up to 1,500 third-party apps from almost 900 developers, used by up to 6.8 million Facebook users.

Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.

Facebook says that it is working on a tool that lets developers tell which users were affected by the flaw. It will also let users know through Facebook alerts if they were impacted. The company recommends that users check what permissions third-party apps have for their Facebook accounts.

As for an apology, Facebook offered a super short one toward the end of the post: “We’re sorry this happened.”